Péter Tabajdi
DevOps Engineer
2024.10.03
In recent weeks, a number of news portals, such as 444.hu, and civic service initiatives connected with, for example, the pre-election system have become victims of overload attacks. The Hungarian government information website and the vaccine registration page for the Coronavirus, which was developed in Drupal, were also made unavailable for hours, reportedly due to similar attacks. Furthermore, the last few weeks have also seen attempts to blackmail banks by threatening to make their systems unavailable unless they pay a ransom. An important service being unavailable for hours or days can cause a lot of frustration and huge business damage, both financial and reputational, which is why it is so important to both prevent and protect against such threats. In this article, we will show you how you can secure yourself against such attacks in the cloud and what services Amazon Web Services (AWS) provides to protect your services.
There are many variations of overload attacks, but the method is often the same. Put simply, attackers direct artificial, bot-generated traffic at a website in amounts that its servers and network devices cannot process quickly enough, thus overloading the servers and causing services to become unavailable. Sometimes a simple computer and an internet connection are all an attacker needs to find a bug that can bring a system to its knees. That is why it is hugely important to pay attention to code quality and optimisation when creating software, and of course, it is recommended to only activate a system after it has been thoroughly tested.
For critical business applications, a so-called load test is used to help you find bottlenecks. It is also important to keep a thorough log of server, traffic and software activity, because without appropriate and easily accessible log entries, you can only chase events after trouble strikes. A disaster recovery plan (DRP) is advisable, and it also helps to have a well-documented system to save time.
Although there are trade-offs and workarounds to scale any classic web application, it is easier and more efficient to design software for the cloud and follow the 12-factor guidelines for application development.
The cost of building and operating a fault-tolerant and attack-resistant infrastructure is certainly higher than that of a cheap virtual server (VPS) or shared hosting. If you are running a business-critical system, and a few hours or a few days of downtime can cause serious damage, it is easy to calculate how much you should spend on protection. Estimating the costs and potential damage in advance can help you to scale your system effectively.
Overload attacks are based on the concept of services running out of available capacity, so one solution would be to have more and more resources to defend ourselves. Fortunately, there are more sophisticated solutions than this, but beyond a certain point, you need to be able to scale your systems automatically, and managed cloud services are the cheapest and safest way to do this. The world's most popular cloud provider is Amazon Web Services (AWS), which has become such a success story precisely because it had plenty of spare capacity to serve the online Amazon.com marketplace during periods of peak traffic without disruption, and was able to sell this unused capacity when it was not needed.
With the unlimited resources provided by AWS, built on so-called managed solutions, you can quickly and easily construct HA (high availability) systems. What HA solutions have in common is that the service remains available even if a server or even a server room goes down. This means that neither a power outage, nor a breakdown in the internet service of a server room, nor an attack can easily and quickly bring down the service provided by AWS.
Elastic Beanstalk is an AWS service that helps web applications and services run in a highly available, scalable way in the Amazon cloud. Essentially, the service helps users centrally and easily assemble and configure the AWS services they need to run their business.
An application can be run on EC2 (Elastic Compute Cloud) virtual machines, deployed automatically using different strategies, and scaled automatically by adding and removing machines using defined metrics. Traffic distribution/routing to appropriate servers is handled by AWS Elastic Load Balancing.
A more modern solution is to containerize your application and run it on AWS Elastic Container Service (ECS). This has a number of benefits, such as faster scaling and lower maintenance requirements. We use AWS Elastic Load Balancing to distribute traffic between our containers.
Our containerized application can also be served using Elastic Kubernetes Service (EKS), AWS's managed Kubernetes service, which provides great flexibility in many areas of operation.
Such systems present challenges that are not encountered in classical, "single-server" deployments. For example, our service, which runs in multiple instances on separate virtual servers or containers, cannot rely on data storage on the file system of the server(s). AWS provides several services to address this: the Amazon Elastic File System (EFS) provides an easy-to-use network file system that automatically scales for storage and performance, but you can also store data in the provider's object storage, Amazon Simple Storage Service (Amazon S3).
When developing a modern web application, your aim may be to develop an application that does not require servers. AWS provides several services that help you run such software and can be adapted to help you implement advanced functionality in your serverless application. AWS has published a hands-on demonstration of how to develop and run a serverless application using AWS Lambda, AWS API Gateway and AWS Amplify, while identifying users by integrating AWS Cognito and storing data in Amazon DynamoDB.
Amazon Web Application Firewall (WAF) helps protect your application and its infrastructure from malicious traffic. It allows you to use pre-built and updated rule sets from Amazon (or others) that provide general protection against most attacks from the web, or you can create your own rules that are specific to your application. This means our systems are protected against SQL Injection, Cross-Site Scripting (XSS) and other common attacks.
WAF integrates seamlessly with AWS Elastic Load Balancing and with the Amazon CloudFront CDN and caching service.
The CloudFront CDN helps you quickly, securely and cost-effectively deliver your web application to visitors around the world. We recommend using a CDN even if you are not looking to defend against attacks, but simply want to save on data traffic costs on AWS or provide fast access to your website for visitors around the world.
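The following added example (not from the original article and not AWS code) models a per-client rate limit, a typical application-specific rule, by scanning access-log lines for addresses that exceed a request budget in a trailing time window. The log format, the sample lines, the function names and the `limit` and `window_seconds` values are assumptions for illustration; the code calls no AWS API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client IP> <method> <path> <status>".
# 203.0.113.7 sends one request per second; the other clients browse normally.
SAMPLE_LOG = "\n".join(
    [f"2024-10-03T10:00:{s:02d}Z 203.0.113.7 GET /search 200" for s in range(40)]
    + [
        "2024-10-03T10:00:05Z 198.51.100.20 GET / 200",
        "2024-10-03T10:00:17Z 198.51.100.20 GET /about 200",
        "2024-10-03T10:00:30Z 192.0.2.44 POST /login 302",
        "this line is malformed and must be skipped",
    ]
)


def parse_line(line):
    """Return (timestamp, client_ip), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1]


def find_rate_offenders(log_text, limit=20, window_seconds=30):
    """Map each offending IP to the first time its count in the window exceeded limit."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the trailing window
    offenders = {}
    # Logs from several servers may be interleaved, so order events by time first.
    events = sorted(filter(None, map(parse_line, log_text.splitlines())))
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, ts in find_rate_offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {ts.isoformat()}")
```

Tuning `limit` against real traffic from a load test keeps legitimate bursts, such as many users behind one NAT address, from being flagged.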
DDoS is an attack in which a large number of IT devices are typically used to flood a target, such as a network or website, with traffic to disrupt its operation or force it to shut down or crash.
Amazon Shield is Amazon's denial of service protection service and is available in two versions: Standard, which is free to all users, provides a general layer of protection for network traffic coming into AWS, while Advanced provides additional functionality and access to the AWS DDoS rapid response team.
With CloudWatch, you can centralize your systems' metrics, logs and events, making them easy to see and easy to debug. This service visualizes the collected data and makes it easily searchable, giving you a clear view of operations. We can trigger automated actions or generate alerts in response to various events, helping us to resolve problems as quickly as possible.
With the right combination of the services described above, a significant proportion of malicious attacks can be handled and prevented. If you want to be sure, contact us: we will assess your systems and help you to put together the right cloud-based service package. Our advice is free of charge!
This article was originally published on the Cheppers website.